How Banks Can Adopt the Cloud Securely

Many financial services firms are adopting the cloud but are ignorant of, or feel they needn’t worry about, the risks that cloud computing brings.

The financial services industry is increasingly adopting cloud computing. There’s no denying the compelling advantages to moving to the cloud -- reduced cost, greater flexibility and scalability, increased mobility, and faster deployment to name a few.

The requirement to protect customer information is still a barrier for many firms though. The fact that customer records and information must be secure and confidential is causing a major headache across the industry. Did you know, for example, that you need to protect your customers’ records against any anticipated threats or hazards as well as unauthorized access that could cause substantial harm or inconvenience to the affected customer?

Worryingly, too many are adopting the cloud but are ignorant of, or feel they needn’t worry about, the risks that cloud computing brings. Recent research from Ernst & Young, entitled 2012 Global Information Security Survey, revealed that 59% of respondents said they used or planned to use cloud services. Yet over 33% had not taken any measures to mitigate security risks.

Your IP is like gold dust

Companies that have implemented cloud computing are now seeing people gain unauthorized access to their intellectual property (IP). And the pursuit of access to such valuable assets will only continue. We are likely to see additional stealthy, sustained attacks, known as advanced persistent threats (APTs), against companies in the future. Given the large quantity of customer data it holds, the financial services industry is a viable and attractive target. Your IP is like gold dust to a hacker.

Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP -- and your reputation. In August last year, hackers gained access to the Dropbox online storage service using a list of customer email addresses from an employee’s account. Soon after, a journalist from the technology publication Wired saw his Apple iCloud account compromised by a hacker who gained access by socially engineering the company’s tech support service.

The employees who allowed these high profile breaches to happen were well-meaning but unwitting. Yet, there is always the danger of an intentional inside job. If a member of staff working at a cloud service provider decides to siphon off a client’s data to the highest bidder, it could result in a costly and embarrassing data compromise involving that client’s own customers.

Ignorance is not bliss

As a cloud adopter, you need to understand your responsibilities and remember that reliance on the cloud service provider is not enough. Many organizations unknowingly rely on service level agreements from their cloud service provider and assume the provider is responsible for their data’s security. It is not acceptable for financial services firms to claim ignorance and blame a breach on a third-party provider.

Now that customer records and information can reside anywhere in a digital cloud, it is no longer enough to think of security in terms of physical infrastructure alone. Cloud security must be addressed as well.

Compliance through encryption

Financial services companies should employ encryption to reduce the risk of disclosure or alteration of sensitive information in storage and in transit. This is one of the best methods to keep your information safe from hackers. With this approach, a secret pair of digital codes called ‘keys’ is used to encrypt the information. Without these, the information cannot be decrypted.

Encryption therefore protects your vital data against prying eyes, regardless of where it is stored. Entities who attempt to circumvent the company’s protocols for data access will retrieve only scrambled information.

Encryption needs to work seamlessly for business users and their customers, so that they can retrieve their information without extra effort. However, this in itself presents a problem. Who should actually own the keys?

Keep the keys, rotate the keys, destroy the keys

Often, third-party cloud service suppliers that encrypt a client’s information retain the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to unencrypted client information.

To help extract organizations from this predicament, Gartner recommends that the client retain and manage the encryption keys locally, and ensure that the keys are properly rotated and destroyed to keep them secure over time.
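The arrangement described above (client-held keys that are rotated and then destroyed), sketched as an added Python example; it is not from the original article or from Gartner. `LocalKeyRing` and its methods are hypothetical names, and the HMAC-based `seal`/`unseal` pair is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD (e.g. AES-GCM)
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)  # encrypt-then-MAC

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class LocalKeyRing:
    """Key-encryption keys (KEKs) held by the client, never by the cloud provider."""
    def __init__(self):
        self.keks, self.current = {}, 0
        self.rotate()

    def rotate(self):
        # New records use the new KEK; older KEKs stay until their records are rewrapped.
        self.current += 1
        self.keks[self.current] = os.urandom(32)
        return self.current

    def destroy(self, version):
        if version == self.current:
            raise ValueError("rotate before destroying the active key")
        del self.keks[version]  # anything still wrapped under it becomes unreadable

    def protect(self, record):
        dek = os.urandom(32)  # per-record data key; only its wrapped form is stored
        return {"kek": self.current, "wrapped_dek": seal(self.keks[self.current], dek),
                "data": seal(dek, record)}

    def rewrap(self, obj):
        # Rotation touches only the small wrapped key, not the bulk ciphertext.
        dek = unseal(self.keks[obj["kek"]], obj["wrapped_dek"])
        return {**obj, "kek": self.current, "wrapped_dek": seal(self.keks[self.current], dek)}

    def read(self, obj):
        return unseal(unseal(self.keks[obj["kek"]], obj["wrapped_dek"]), obj["data"])
```

The dictionary returned by `protect` is what would be handed to the provider; the key ring itself stays on the client side.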

There are other considerations for the financial services industry when embracing a cloud computing strategy. First, make information a first-class citizen in the cloud. Above all, ensure that it is protected. Consider regulatory requirements when building strategies to protect your information and ensure that you cover your bases with regard to data export and residency restrictions.

Managing such requirements can be discouraging for many companies whose expertise is not in cloud computing or information security. Working with a trusted third party can help to cover your security needs while maximizing the innovation and competitiveness that the cloud brings.

These recommendations will help you eliminate any data confidentiality and integrity concerns as you fully embrace the cloud and migrate your data and applications. The less time you have to spend worrying about security, the more you can spend on your core business strategies.

Good points. It is also worth noting that regulations still need to catch up to cloud realities. Regulators are notoriously slow at allowing for the use of new technology. For now, playing it safe is best for financial companies, since regulators have not indicated if they will treat cloud security breaches any differently than internal security breaches.

The convenience/quicker/cheaper aspect must of course, as you say, always be balanced against the security aspect, having a third party in possession/control of your data. It is the eternal struggle of Cloud...

Cloud computing is often faster, cheaper, and more convenient than the business attempting to cover all bases on its own, at least in the beginning. However, the reality of having confidential data in unknown hands is that the potential damage could far outweigh the initial cost and labor savings. That's not even going into the problems it would cause for individuals whose data has been compromised.

Businesses that are entrusted with any variety of confidential data must have a system in place that can adequately control and regulate access to information (covered under current compliance regulations). Ideally, the system is difficult to exploit or modify by design, as every action taken on it is logged. If such defensive measures were implemented at every level for a layered approach to security, a company knows that it has the greatest protection possible.